National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): Wordpress
  • Search Type: Search All
There are 2,926 matching records.
Displaying matches 1821 through 1840.
Vuln ID Summary CVSS Severity
CVE-2016-4566

Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.

Published: May 21, 2016; 09:59:30 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-2222

The wp_http_validate_url function in wp-includes/http.php in WordPress before 4.4.2 allows remote attackers to conduct server-side request forgery (SSRF) attacks via a zero value in the first octet of an IPv4 address in the u parameter to wp-admin/press-this.php.

Published: May 21, 2016; 09:59:15 PM -04:00
V3.0: 8.6 HIGH
    V2: 5.0 MEDIUM
CVE-2016-2221

Open redirect vulnerability in the wp_validate_redirect function in wp-includes/pluggable.php in WordPress before 4.4.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a malformed URL that triggers incorrect hostname parsing, as demonstrated by an https:example.com URL.

Published: May 21, 2016; 09:59:14 PM -04:00
V3.0: 7.4 HIGH
    V2: 5.8 MEDIUM
CVE-2016-1564

Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php.

Published: May 21, 2016; 09:59:13 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-8834

Cross-site scripting (XSS) vulnerability in wp-includes/wp-db.php in WordPress before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a long comment that is improperly stored because of limitations on the MySQL TEXT data type. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3440.

Published: May 21, 2016; 09:59:04 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-7989

Cross-site scripting (XSS) vulnerability in the user list table in WordPress before 4.3.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted e-mail address, a different vulnerability than CVE-2015-5714.

Published: May 21, 2016; 09:59:03 PM -04:00
V3.0: 5.4 MEDIUM
    V2: 3.5 LOW
CVE-2015-5715

The mw_editPost function in wp-includes/class-wp-xmlrpc-server.php in the XMLRPC subsystem in WordPress before 4.3.1 allows remote authenticated users to bypass intended access restrictions, and arrange for a private post to be published and sticky, via unspecified vectors.

Published: May 21, 2016; 09:59:02 PM -04:00
V3.0: 4.3 MEDIUM
    V2: 4.0 MEDIUM
CVE-2015-5714

Cross-site scripting (XSS) vulnerability in WordPress before 4.3.1 allows remote attackers to inject arbitrary web script or HTML by leveraging the mishandling of unclosed HTML elements during processing of shortcode tags.

Published: May 21, 2016; 09:59:01 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-1209

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request.

Published: May 14, 2016; 11:59:03 AM -04:00
V3.0: 9.8 CRITICAL
    V2: 7.5 HIGH
CVE-2016-1160

Cross-site scripting (XSS) vulnerability in the WP Favorite Posts plugin before 1.6.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: March 25, 2016; 09:59:00 PM -04:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2016-2314

GlobespanVirata ftpd 1.0, as used on Huawei SmartAX MT882 devices V200R002B022 Arg, allows remote authenticated users to cause a denial of service (device outage) by using the FTP MKD command to create a directory with a long name, and then using certain other commands.

Published: February 14, 2016; 09:59:19 PM -05:00
V3.0: 4.9 MEDIUM
    V2: 6.3 MEDIUM
CVE-2016-2231

The Windows-based Host Interface Program (WHIP) service on Huawei SmartAX MT882 devices V200R002B022 Arg relies on the client to send a length field that is consistent with a buffer size, which allows remote attackers to cause a denial of service (device outage) or possibly have unspecified other impact via crafted traffic on TCP port 8701.

Published: February 14, 2016; 09:59:18 PM -05:00
V3.0: 9.8 CRITICAL
    V2: 9.0 HIGH
CVE-2015-5471

Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.

Published: January 12, 2016; 02:59:03 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2015-4703

Absolute path traversal vulnerability in mysqldump_download.php in the WordPress Rename plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the dumpfname parameter.

Published: January 12, 2016; 02:59:02 PM -05:00
V3.0: 5.3 MEDIUM
    V2: 5.0 MEDIUM
CVE-2014-7151

Multiple cross-site scripting (XSS) vulnerabilities in the NEX-Forms Lite plugin 2.1.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the form_fields parameter in a (1) do_edit or (2) do_insert action to wp-admin/admin-ajax.php.

Published: January 08, 2016; 04:59:01 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2014-6444

Multiple cross-site scripting (XSS) vulnerabilities in the Titan Framework plugin before 1.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) t parameter to iframe-googlefont-preview.php or the (2) text parameter to iframe-font-preview.php.

Published: January 08, 2016; 04:59:00 PM -05:00
V3.0: 6.1 MEDIUM
    V2: 4.3 MEDIUM
CVE-2015-4694

Directory traversal vulnerability in download.php in the Zip Attachments plugin before 1.5.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the za_file parameter.

Published: January 08, 2016; 03:59:01 PM -05:00
V3.0: 8.6 HIGH
    V2: 5.0 MEDIUM
CVE-2015-7791

Multiple SQL injection vulnerabilities in admin.php in the Collne Welcart plugin before 1.5.3 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) search[column] or (2) switch parameter.

Published: December 29, 2015; 05:59:06 PM -05:00
V3.0: 6.3 MEDIUM
    V2: 6.5 MEDIUM
CVE-2015-7527

lib/core.php in the Cool Video Gallery plugin 1.9 for WordPress allows remote attackers to execute arbitrary code via shell metacharacters in the "Width of preview image" and possibly other input fields in the "Video Gallery Settings" page.

Published: December 17, 2015; 02:59:04 PM -05:00
    V2: 7.5 HIGH
CVE-2015-5734

Cross-site scripting (XSS) vulnerability in the legacy theme preview implementation in wp-includes/theme.php in WordPress before 4.2.4 allows remote attackers to inject arbitrary web script or HTML via a crafted string.

Published: November 09, 2015; 06:59:06 AM -05:00
    V2: 4.3 MEDIUM